from the really,-guys? dept

While I still think the biggest story to come out of the Sony hacks is the fact that the MPAA had a plan to fund investigations of Google by public officials to get negotiating leverage over the company, a lot of other interesting tidbits have been revealed as well, including the fact that the MPAA still really, really believes in the idea of site blocking. It has listed it as a "high priority" item that was discussed in a recent anti-piracy strategy meeting bringing together the top lawyers from most of the major Hollywood studios:

As the TorrentFreak article above notes, the MPAA laid out a four prong approach to force site-blocking on the US. The Verge recently posted an MPAA email that described at least some of the strategy as well:

We have traditionally thought of site blocking in the US as a DMCA 512(j) issue. In some ways, that is too narrow and we plan to expand our scope of inquiry on two levels. First, DMCA 512(j), by its terms, necessarily creates an adversarial relationship with the target ISP (and more generally with the ISP community). We have been exploring theories under the All Writs Acts, which, unlike DMCA 512(j), would allow us to obtain court orders requiring site blocking without first having to sue and prove the target ISPs are liable for copyright infringement. This may open up avenues for cooperative arrangements with ISPs. Second, we start from the premise that site blocking is a means to an end (the end being effective measures by ISPs to prevent infringement through notorious pirate sites). There may be other equally effective measures ISPs can take, and that they might be more willing to take voluntarily. Our intention is to work with our own retained experts and Comcast (and MPAA's Technology group) to identify and study these other possibilities, as well as US site blocking technical issues.

The MPAA is right that 512(j) is likely a dead end. In fact, a legal analysis done by the MPAA's lawyers at Jenner & Block (the MPAA's preferred legal hatchet men) details why. The "All Writs Act" approach is nutty, and would lead to significant push back from a variety of parties (we just recently noted that the DOJ has been trying to use the All Writs Act to get companies to help decrypt encrypted phones). There would undoubtedly be a big legal fight over any such attempt. Other plans, like using the ITC or the Communications Act would also run into problems.

In fact, The Verge also just published some internal legal analysis from Jenner & Block explaining why the ITC route is really risky and unlikely to work, whether targeting transit ISPs (Level3, Cogent, etc...) or access ISPs (Verizon, Comcast, AT&T, etc...). Amusingly, the "alternative" to SOPA that was pushed out by some anti-SOPA folks in Congress actually would have made the ITC route more feasible, but the MPAA was among its loudest critics. And yet now suddenly it's exploring the ITC path? Ha!

Either way, the most insane part of all of this is the fact that, nearly three years after SOPA, the MPAA more or less admits in an email that it hasn't really analyzed the technological impact of site blocking (which was a key component of SOPA) and feels like maybe it should get on it. From the email sent by MPAA General Counsel Steven Fabrizio:

Technical Analyses. Very little systematic work has been completed to understand the technical issues related to site blocking in the US and/or alternative measures ISPs might adopt. We will identify and retain a consulting technical expert to work with us to study these issues. In this context, we will explore which options might lead ISPs to cooperate with us.

Talk about putting the anti-piracy cart before the internet horse...

Meanwhile, the MPAA -- recognizing the shit storm created by SOPA -- has made sure that all of its site blocking efforts are to remain as quiet as possible (oops):

Be cautious about communications on site-blocking -- continue building a record of success where possible, but avoid over-communicating and drawing negative attention.... Where site-blocking is actively under consideration, make available research (1) that site-blocking works and (2) that it does not break the Internet (lack of "side effects"). [Do this] in closed-door meetings with policymakers and stakeholders, [but] not necessarily publicized to a wider audience.

Yes, make sure people think site blocking "works" even though the MPAA doesn't have the requisite technical knowledge to understand it. So, in the interest of open source research, I'm going to help the MPAA out a bit and explain to them why site blocking is stupid and massively counterproductive. I mean, they could just look at what's happened in the past few weeks since The Pirate Bay went down, leading tons of other sites to pop up and (as reported in Variety -- normally a keen source of spinning in favor of the studios) the actual impact on infringement online was basically nil.

But, let's take this a step further. Let's say... for example, that the MPAA succeeded in having certain "evil" sites blocked. Thankfully, at about the same time as these meetings were going on, the MPAA also gave Congress a list of the sites it considered "notorious." Let's take one -- how about torrentz.eu -- and do a basic Google Search showing what results would come up if Goliath Google were forced not to link to the site (which is slightly different from site blocking, but the MPAA is also talking about similar efforts to get full domains "removed" from Google as an alternative to site blocking -- and the end results would be pretty much the same thing). Take a look:

If you can't see it, it's basically a bunch of links to pages listing out where you can go instead of that particular site. In short, site blocking is stupid. It won't actually cut down on any infringing activity, and it's easily gotten around, whether by VPNs or just by doing a rather basic search. Now, of course, the MPAA and its friends would likely still blame Google for this state of affairs, but I'm curious how the MPAA contends that Google should return results on such a site if it's been blocked or removed from search? How could it possibly also block out links to sites that list alternatives? Or is part of the plan to expand the censorship all the way down the pile so that any site that even mentions sites that the MPAA declares "notorious" also need to be blocked? Because if that's the case, they're going to run into a pretty massive First Amendment question before long.

The problem -- as always -- is that the MPAA still thinks that the public is stupid, and that if they can successfully "block" sites that people will stop looking for alternatives. The reality is that the way to get people to stop looking for unauthorized alternatives is to make better authorized alternatives -- but that's clearly still not a priority for the MPAA. And that's a real shame.

And none of this even touches on the problems with false positives (something that's already happened a bunch) or how site blocking might seriously screw up certain security setups, like DNSSEC (something the MPAA was clearly warned about during the SOPA fight, but which it still seems to deny is a real problem). In fact, during a recent secret "Site Blocking" meeting by the MPAA, it still appears to mock the idea that site blocking would break the internet by messing up DNSSEC. That's because the MPAA still doesn't seem to fundamentally understand the issues at play. If they actually talked to some real engineers at ISPs, maybe they'd learn that this whole infatuation is misguided and won't work.

In short, the MPAA sees site blocking as a priority because it doesn't understand the first thing about site blocking and why it would fail -- and that's speaking legally, technically and using just basic common sense. So why is the MPAA so focused on that, rather than actually innovating and adapting? This is what happens when you put a bunch of litigators, rather than innovators, in charge.

from the bad-reporting dept

We've already written about Senator Leahy's decision to delay the implementation of DNS blocking in PIPA. Unfortunately, despite the clear words in the announcement, it appears that Leahy's staff is going around suggesting to the press that this means he's dropping DNS. Thus you get reports in Wired and in ReadWriteWeb saying that Leahy is offering to remove the DNS blocking provisions. That's exactly what Leahy's staff would like people to believe, in the hopes that this makes the bill palatable. First, it wouldn't actually make the bill palatable, but it's important to read what Leahy actually said:

As I prepare a managers' amendment to be considered during the floor debate, I will therefore propose that the positive and negative effects of this provision be studied before implemented...

That is NOT removing the DNS blocking provisions. It is merely delaying them.

Furthermore, since the DNS blocking was such a key component of the bill and, at the very last minute, Leahy is suddenly claiming that we can all ignore that section for the time being, isn't that reason enough to stop and wait, rather than rushing this bill forward? Leahy is admitting that he did not and still does not understand a key provision in his bill. Do we really think that's the only provision he did not understand? Shouldn't this, alone, be evidence that this bill needs to be rethought entirely? This isn't a reason to move forward. It's the opposite. It's a reason to put this bill aside and spend some time actually understanding the issues at play.

from the let-the-geeks-be-geeks-please dept

There's been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who's spoken out on this issue (that we've seen, at least) has made this same point. We've even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on the DNS issue, they still fully expect to put it in place at a later date, so it's important to discuss why it's a bad, bad idea.

So far, the "pro-SOPA/PIPA" folks haven't been able to find a legitimate working technologist who says that these plans make sense. Instead, they've brought out some "policy analysts" who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won't work and/or breaks DNSSEC. Basically, these "policy analysts" keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they're wrong each time, and points out the importance of actually having DNS engineers do DNS engineering -- not policy analysts.

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters of SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....

And yet... it's not being designed by DNS engineers at all. It's being designed by policy people, with a smattering of help from some former technologists who don't really understand DNS. That seems like a pretty big problem.
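The three blocking responses walked through in the quote above (redirect, false NXDOMAIN, silent drop), run against a toy validating client. This is an added example, not code from the post or from Vixie: the tiny RSA key, the `example.test` zone, the addresses and all function names are constructed, and real DNSSEC uses RRSIG, DNSKEY and NSEC records with a chain of trust from the root. REFUSED is not modelled, because the quoted text stops before analysing it.

```python
import hashlib

# Toy RSA zone key (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                               # public modulus, known to every validator
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held only by the zone owner

def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def sign(text):
    """Zone owner's signature over one record (stands in for an RRSIG)."""
    return pow(digest(text), D, N)

def verify(text, sig):
    """Check a signature using only the public key (N, E)."""
    return sig is not None and pow(sig, E, N) == digest(text)

# Constructed zone contents (documentation names and addresses).
ZONE = {"example.test": "192.0.2.1", "mail.example.test": "192.0.2.25",
        "www.example.test": "192.0.2.80"}

def order(name):
    # DNSSEC canonical ordering compares labels from right to left.
    return tuple(reversed(name.split(".")))

def authoritative(qname):
    """Honest server: a signed A record, or a signed NSEC-style gap proof."""
    if qname in ZONE:
        rr = f"{qname} A {ZONE[qname]}"
        return {"rcode": "NOERROR", "rr": rr, "sig": sign(rr)}
    names = sorted(ZONE, key=order)
    before = [n for n in names if order(n) < order(qname)]
    owner = before[-1] if before else names[-1]
    nxt = names[(names.index(owner) + 1) % len(names)]
    rr = f"{owner} NSEC {nxt}"          # "nothing exists between owner and nxt"
    return {"rcode": "NXDOMAIN", "rr": rr, "sig": sign(rr)}

# Three filtering behaviours from the quote. None of them holds D.
def filter_redirect(qname):
    # Rewrites the address and reuses the genuine signature.
    real = authoritative(qname)
    return {"rcode": "NOERROR", "rr": f"{qname} A 203.0.113.9", "sig": real["sig"]}

def filter_nxdomain(qname):
    # Replays a genuine gap proof that was issued for a different name.
    proof = authoritative("nope.example.test")
    return {"rcode": "NXDOMAIN", "rr": proof["rr"], "sig": proof["sig"]}

def filter_drop(qname):
    return None                          # simulated packet loss / timeout

def validate(qname, resp):
    """Classify a response the way a validating client would."""
    if resp is None:
        return "no-response"
    if not resp["rr"] or not verify(resp["rr"], resp["sig"]):
        return "bogus"                   # data does not match the zone's signature
    fields = resp["rr"].split()
    if resp["rcode"] == "NOERROR":
        return "secure" if fields[0] == qname and fields[1] == "A" else "bogus"
    if resp["rcode"] == "NXDOMAIN" and fields[1] == "NSEC":
        lo, q, hi = order(fields[0]), order(qname), order(fields[2])
        covered = lo < q < hi if lo < hi else (q > lo or q < hi)
        return "secure" if covered else "bogus"   # proof must cover this exact name
    return "bogus"

def resolve(qname, servers):
    """Try each (label, server) in turn; accept only a validated answer."""
    trail = []
    for label, server in servers:
        resp = server(qname)
        status = validate(qname, resp)
        trail.append((label, status))
        if status == "secure":
            return resp["rr"], trail
    return None, trail

if __name__ == "__main__":
    name = "www.example.test"
    for label, server in [("honest", authoritative), ("redirect", filter_redirect),
                          ("false NXDOMAIN", filter_nxdomain), ("drop", filter_drop)]:
        print(f"{label:15} -> {validate(name, server(name))}")
    print(resolve(name, [("filtering", filter_drop), ("alternate", authoritative)]))
```

The client cannot tell a filter's "bogus" or "no-response" from an attacker's, so its only safe reaction is the one `resolve` takes: discard the answer and ask elsewhere.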

from the well-look-at-that dept

Well, well, well. Here's something interesting. Comcast, who owns NBC Universal (one of the main forces behind SOPA/PIPA), is officially a SOPA/PIPA supporter. However, yesterday, Comcast put up a post congratulating itself (deservedly so!) for completing its DNSSEC deployment, making it "the first large ISP in the North America to have fully implemented" DNSSEC across the board. That's huge, and a clear vote of confidence for DNSSEC, obviously. They also urge others to use DNSSEC:

Now that nearly 20 million households in the U.S. are able to use DNSSEC, we feel it is an important time to urge major domain owners, especially commerce and banking-related sites, to begin signing their domain names. While in the past those domains may have wanted to do so but felt it would have limited effect, they now can work on signing their domains knowing that the largest ISP in the U.S. can validate those signatures on behalf of our customers.

All of this is good... but what may be much more interesting is that, along with this announcement, Comcast has also mentioned that it is shutting down its Domain Helper service. Domain Helper was a somewhat controversial DNS-redirect system, so that when you mistyped something, it would suggest the proper page or alternatives. Many in the internet community complained that these types of redirects mess with the underlying DNS system (which they do). But, as the DNS experts have been saying all along (and NBC Universal has been trying to play down), DNSSEC is incompatible with such DNS redirects. So... that makes this next part a little awkward. Comcast is now admitting, indeed, that DNS redirects, such as Domain Helper, are incompatible with DNSSEC:

When we launched the Domain Helper service, we also set in motion its eventual shutdown due to our plans to launch DNSSEC. Domain Helper has been turned off since DNS response modification tactics, including DNS redirect services, are technically incompatible with DNSSEC and/or create conditions that can be indistinguishable from malicious modifications of DNS traffic (including DNS cache poisoning attacks). Since we want to ensure our customers have the most secure Internet experience, and that if they detect any DNSSEC breakage or error messages that they know to be concerned (rather than not knowing if the breakage/error was "official" and caused by our redirect service or "unofficial" and caused by an attacker), our priority has been placed on DNSSEC deployment -- now automatically protecting our customers...

Let's be doubly clear about this, because it's important. Just as NBC Universal and other SOPA supporters continue to insist that DNS redirect is completely compatible with DNSSEC... Comcast (an official SOPA/PIPA supporter) has rolled out DNSSEC, urged others to roll out DNSSEC and turned off its own DNS redirect system, stating clearly that DNS redirect is incompatible with DNSSEC, if you want to keep people secure. In the end, this certainly appears to suggest that Comcast is admitting that it cannot comply with SOPA/PIPA, even as the very same company is advocating for those laws.

It would appear that the left hand (people who actually understand technology) isn't speaking to the right hand (lawyers/lobbyists) within the Comcast family. But, I think that NBC Universal and anyone else insisting that DNS redirects are fine in DNSSEC owe everyone else a pretty big apology... when their own company's experts are admitting that the two are incompatible.

from the good-to-see dept

While Lamar Smith and the House Judiciary Committee still have refused to hear from the actual technology experts, Rep. Issa has now scheduled a SOPA-related hearing... in his House Oversight Committee, and it will finally allow tech experts to speak about the technological impact of SOPA. It's a good list of speakers including: famed security researcher Dan Kaminsky (who co-authored the paper about problems of SOPA with Paul Vixie and others), Stewart Baker (former DHS/NSA top official, who has warned about SOPA harming internet security), Dr. Leonard Napolitano (from Sandia National Labs, who also warned about the security problems), Michael Macleod-Ball (from the ACLU). And representing the startup world, we've got Brad Burnham (from Union Square Ventures -- probably the most sought after VC firm for startups today) and Alexis Ohanian, the entrepreneur behind Reddit, Hipmunk and Breadpig, and who has been an outstanding advocate for why SOPA is dangerous. Think of this as the hearing that Lamar Smith didn't want you to hear. Update: Reasonable point in the comments: this hearing is extremely one-sided as well. Perhaps that's fitting "counter-balance" for the pro-SOPA hearing that the Judiciary Committee held, but it still would be nice to have at least some "pro-" voices on the hearing. Of course, can you think of an actual, respected technologist who is in favor of SOPA? Yeah... didn't think so...

from the not-so-fast,-daniel-castro dept

We recently discussed how ITIF's Daniel Castro (who's been credited with pushing a SOPA-style censorship program to government officials in the first place) bizarrely used the web censorship done by 13 of the most oppressive governments to support his case that censorship under SOPA would work. The argument was based on a Harvard/OpenNet Initiative to study how the internet is censored and used in various repressive nations. The authors of that study have now come out pretty strongly against Castro for his misuse of their report, and have explained in detail how Castro's assumptions are wrong and his quoting their study is done entirely out of context.

we disagree with the way that Mr. Castro applies our findings to the SOPA debate. His presumption that people will work as hard or harder to access political content than they do to access entertainment content deeply misunderstands how and why most people use the internet. Far more users in open societies use the Internet for entertainment than for political purposes; it is unreasonable to assume different behaviors in closed societies. Our research offers the depressing conclusion that comparatively few users are seeking blocked political information and suggests that the governments most successful in blocking political content ensure that entertainment and social media content is widely available online precisely because users get much more upset about blocking the ability to watch movies than they do about blocking specific pieces of political content.

Rather than comparing usage of circumvention tools in closed societies to predict the activities of a given userbase, Mr. Castro would do better to consider the massive userbase of tools like bit torrent clients, which would make for a far cleaner analogy to the problem at hand. Likewise, the long line of very popular peer-to-peer sharing tools that have been incrementally designed to circumvent the technical and political measures used to prevent sharing copyrighted materials are a stronger analogy than our study of users in authoritarian regimes seeking to access political content.

Furthermore, they argue that the bill that Castro is so desperately in favor of would have disastrous consequences, in that it would deny important circumvention tools to those in repressive countries:

Second, our research has consistently shown that those who really wish to evade Internet filters can do so with relatively little effort. The problem is that these activities can be very dangerous in certain regimes. Even though our research shows that relatively few people in autocratic countries use circumvention tools, this does not mean that circumvention tools are not crucial to the dissident communities in those countries. 19 million people is not large in relation to the population of the Internet, but it is still a lot of people absolutely who have freer access to the Internet through the tools. We personally know many people in autocratic countries for whom these tools provide a crucial (though not perfect) layer of security for their activist work. Those people would be at much greater risk than they already are without access to the tools, but in addition to mandating DNS filtering, SOPA would make many circumvention tools illegal. The single biggest funder of circumvention tools has been and remains the U.S. government, precisely because of the role the tools play in online activism. It would be highly counter-productive for the U.S. government to both fund and outlaw the same set of tools.

We noted that Castro's paper read like a joke from the beginning, and the more people dig into it, the more ridiculous it seems.

from the how-congress-works dept

So, if you weren't paying attention, yesterday was a marathon session of SOPA amendments... It ran for 11.5 hours, with just one tiny break, and it looks like they didn't even get through half of the amendments. I'll get into some more details in a bit, but honestly the single best description of the insanity of these hearings came from The Washington Post's Alexandra Petri, who called them "nightmarish."

If this were surgery, the patient would have run out screaming a long time ago. But this is like a group of well-intentioned amateurs getting together to perform heart surgery on a patient incapable of moving. “We hear from the motion picture industry that heart surgery is what’s required,” they say cheerily. “We’re not going to cut the good valves, just the bad — neurons, or whatever you call those durn thingies.”

This is terrifying to watch. It would be amusing — there’s nothing like people who did not grow up with the Internet attempting to ask questions about technology very slowly and stumbling over words like “server” and “service” when you want an easy laugh. Except that this time, the joke’s on us.

That really describes the situation perfectly. Over and over again the people in favor of this bill flat out admitted that they didn't understand the technology -- and when the various people opposed to it asked why don't they get some experts in to answer some questions, the supporters had no credible response. The DNS and security aspects were completely brushed aside. As Rep. Jason Chaffetz (who is fighting the good fight against this) pointed out repeatedly, there's simply no reason to rush this bill when there are such widespread concerns about it and no one has taken the time to get the answers to key questions.

But the supporters of the bill -- mainly Reps. Lamar Smith, Bob Goodlatte and Mel Watt -- simply wanted to push forward at all costs. They rejected every amendment raised, except two minor ones (we'll get to that in a minute). Amazingly they rejected all sorts of quite reasonable suggestions -- while complaining that those opposed to the bill never had any suggestions to fix it! And yet when those actual proposals were brought up, they were rejected out of hand. It really was pretty disgusting. Goodlatte's responses struck me as particularly inane. He kept rejecting amendments because he feared that the amendment could be abused. The fact that most of those amendments were to prevent the much wider scale abuses guaranteed under SOPA never seemed to occur to him.

In fact, supporters of the bill regularly used arguments that actually could have been turned around on them. They refused an amendment from Rep. Darrell Issa to limit the powers of the bill to those who actually were in the US, saying that it would set a bad precedent for countries like China... and this came just after they were totally outraged that anyone might think that the entire bill itself sets a bad precedent for countries like China. The disingenuous bullshit was really ridiculous.

Rep. Watt was particularly keen to display his own ignorance. He regularly admitted that he wasn't very knowledgeable on technology -- which should have been a reason to recuse himself or to at least ask for more info from experts. Instead, he just insisted that all of the technical experts were simply wrong. Based on what? Nothing. How does someone like Watt get elected when he appears to want to regulate the internet based on pure faith and against what every single expert has said? It's downright scary.

Later, Watt angrily rejected an amendment to clarify some language to make sure it was limited -- by saying that he believed the language already said what the amendment added. If that's true, why reject the amendment? All it would do is make the intent clear. Instead, he said no. That makes no sense at all.

What was clear, from the beginning, was that the SOPA supporters were not there in good faith. They had no intention of listening to reasonable suggestions to fix the bill, and stuck together as a bloc to reject pretty much all of them -- even while admitting their own ignorance. The really sad part was when Goodlatte tried to equate the views of a couple of policy analysts who get money from the entertainment industry, with the views of nearly 100 independent internet engineers who have pointed out how problematic SOPA really would be. Watt and others tried to pretend that because each side could turn up someone who would say something that those views were equal. It's the insane Congressional equivalent of "he-said/she-said" journalism, where you "hear" both sides, but never seek out the truth. That's nuts.

The simple fact is that nearly every single actual credible internet engineer has come out against these bills. There isn't an equivalence where each side can turn up a few people. The scales are completely weighted down against the bills... and many of those people have no associations whatsoever -- even as SOPA defenders insisted that only "Google" experts were against the bill. Stewart Baker isn't speaking for Google. Sandia National Labs isn't speaking for Google.

The real insanity is that supporters of the bill are rushing forward just because they want to pass "something," and they don't seem to care about the consequences.

As for the two amendments that did pass, one was to say that if you "knowingly misrepresented" a claim on a site, you had to pay attorneys' fees. Of course, "knowingly misrepresent" is a very, very high bar that will almost never be met. A similar amendment by Rep. Chaffetz that would also require fees if you failed to get an injunction in court was rejected, because SOPA supporters were worried this would scare people off. As Chaffetz pointed out: that's the whole point. It would scare off those who don't have strong, legitimate claims.

The other amendment, which passed right at the end, was from Rep. Jared Polis, requiring the State Department to do a study on the eventual impacts of SOPA. That doesn't really change the law. It just will at least let people check back in on the damage it does a couple years from now.

A few other key points:

Huge kudos to Reps. Issa, Lofgren, Chaffetz and Polis, who combined to repeatedly point out the problems of the bill and to argue forcefully and compellingly about why we needed to fix these problems. That much of the rest of the Committee ignored these concerns, played them down, or rejected them for silly or nonsense reasons, is really just a statement on the sad state of Congress today.

I heard from sources that a big time content industry lobbyist was seen hanging out in the "members only" area during the session. If that doesn't tell you everything you need to know about what's going on, then you're not paying attention.

There was a bizarre elementary school-like fight that went on at one point. Rep. Steve King tweeted early on:

We are debating the Stop Online Piracy Act and Shiela Jackson has so bored me that I'm killing time by surfing the Internet.

Rep. Jackson-Lee found out about this and announced that she was "offended," at which point it seemed like a bunch of these old clueless men started arguing about how inappropriate it was for her to say she was offended. The whole session had to pause while they talked to a "parliamentarian" about whether it was okay to use the term "offended," eventually leading Jackson-Lee to change her statement. Yeah. These are the people in charge of making our laws. Scary.

With the session going on for 11.5 hours, there was a short break for lunch, but for dinner Rep. Lamar Smith offered "four kinds of pizza," but apparently only for other members. Staffers had to sit and starve. Nice of them, huh?

All in all, the process should leave you frightened for our country. This was not an attempt to fix a broken law. It was an attempt to please some Hollywood funders at the expense of innovation and jobs. It's insanity.

That said... if you want to watch more of it today, tune in either at the Judiciary website or the KeepTheWebOpen site and make sure you have a pillow nearby for when you want to bang your head on the desk or wall. Once again, I'll be live-tweeting some of the hearing (don't think I can make all of it) from my personal Twitter account.

from the wait,-what? dept

Daniel Castro from the Information Technology and Innovation Foundation (ITIF) is the guy who has been highlighted for coming up with the idea of censoring the internet to deal with copyright infringement online. In 2009, he wrote a whitepaper suggesting just such a strategy, and since then has been a vocal champion of the approach that mimics China's Great Firewall.

He's issued a "response" to "critics" over the bills which is, frankly, an embarrassment for supporters of these bills. There may be some compelling ways to defend these disasters (though I doubt it), but Castro's paper is beyond ridiculous. It rolls out all the usual bogus tropes, talking up the "size" of the problem with claims that simply aren't backed up by the data at all. But its main focus is trying to respond to the claims of all sorts of people who actually understand internet security, about how DNS blocking would be a disaster. At this point, the incredible thing is that supporters of SOPA/PIPA have yet to come up with a single credible person who thinks DNS blocking is a good idea. On the flip side, DNS experts like Paul Vixie and David Ulevitch have been vocally opposed. In addition, there are other folks like Stewart Baker, the former Homeland Security Assistant Secretary and former NSA General Counsel, as well as the folks at Sandia National Labs, experts in internet security, who are opposed to it as well. All of them have pointed out that DNS blocking won't work, will likely make things worse, and will have disastrous consequences for internet security. These are people who understand this stuff at its core. On the other side? We've got Daniel Castro. There's a lot of ridiculousness here, but let's start with the most insane part, the response over how this will kill DNSSEC. Castro seems to suggest that those who use DNSSEC can just ignore the law:

PIPA/SOPA states that service providers are required to take only “technically feasible and reasonable measures” to comply with government court orders. The legislation further states that a service provider is not required to “modify its network, software, systems, or facilities” to comply with these requirements. This means that if DNS servers are deployed using DNSSEC, and if DNSSEC does not allow for the type of redirection or filtering specified in the legislation, ISPs would not need to take action. Thus there is no reason to suspect that ISPs would delay deploying DNSSEC because of provisions in SIPA/PIPA. If anything, to the extent that any ISPs oppose DNS filtering for ideological or technical reasons, the DNS filtering requirements in PIPA/SOPA would serve as a catalyst for ISPs to upgrade to DNSSEC since this may free them of unwanted obligations.

Really? Is he really arguing that if you're running DNSSEC, you can ignore the government's official blacklist? Why do I get the feeling that any provider that actually does that will quickly find themselves hauled into court for... "enabling" or "facilitating" infringement? How can anyone take this seriously?

While technology should shape policy, it should not determine policy. The U.S. policies on the Internet should not be determined by the ideological points of view of a few network engineers in the IETF. Policymakers routinely ask the private sector to design systems to meet new technical standards so as to achieve a specific policy outcome.

This is either ignorant or just stupid. DNSSEC has been under development for sixteen years. Part of the reason it's taken so long is because this is not easy. Castro's flippant suggestion that we just ignore the technological issues is downright scary. If the technology is carefully set up and clueless think tankers and regulators are about to throw a decade plus of careful development out the window for a "problem" they can't actually show with a "solution" that won't work... it seems pretty damn reasonable to raise the technological issues.

DNSSEC, as with many technical standards, is not an immutable set of rules carved by God on stone tablets. Although DNSSEC has been codified in various technical documents, it continues to evolve over time as researchers propose new modifications to the standard to address various limitations. The question policymakers should be asking is not whether the proposed solution is compatible with the current version of DNSSEC, but how to craft policies that best take advantage of potential improvements in the DNSSEC standard.

Ah, the MPAA's "you techies can just change the code" argument. Once again, displaying a massive ignorance of what has happened over the last 16 years and the effort that has gone into creating DNSSEC and then beginning the process of getting it out there. Is Castro really suggesting that we go back to the drawing board, and leave security issues ignored for another decade and a half? Just because some movie studios are too lazy to adapt? That's scary.

Opponents of PIPA/SOPA, such as the Internet Society and Crocker et al., argue that DNS filtering will “puts users at risk.” However there are no security risks from DNS filtering. Instead, the purported security risks for users come about only for those Internet users who begin using alternative DNS services (i.e. those individuals intent on breaking the law). Yet, as we have seen, to date there is little evidence that the average user will begin using these alternative DNS services. In fact, users will be unlikely to use an alternative DNS service precisely because of the security risks.

This is a disgusting smear from Castro, suggesting that the only people who might use alternative DNS systems are intent on breaking the law. Does he really not think that some people might not trust the US DNS system once it's been given orders for an official blacklist of sites to censor?

The Internet Society argues that DNS filtering “has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.” Of course it could. ISPs or the U.S. government could use DNS filtering to block sites they do not like. But guns can be used by criminals to kill people too and that does not mean that we do not let the police or security guards have guns.

Is he really arguing that DNS filtering isn't censorship in the US because we're giving it to "the good guys"? That seems to be the argument here... and it's ridiculous. The censors in China and Iran consider themselves the good guys too. Is this really the message we want to send to the rest of the world? Just make sure you say your official censors are "police" and all is good, according to Daniel Castro.

Critics of PIPA/SOPA are trying to suggest that if a user is prevented from obtaining a pirated copy of the latest Hollywood film, this is an unlawful restriction of their Constitutional rights.

No, actually, that's not what they're arguing. They're arguing that this idiotic censorship system Castro is supporting will censor plenty of protected speech, which is a restriction of their Constitutional rights.

Ironically, many of the voices arguing that DNS filtering does not solve the core issue, which is that pirated content is made available online, often are the same ones opposing digital rights management (DRM) technology that is created to achieve the very goal of eliminating pirated content.

That's not ironic. Neither DNS filtering nor DRM achieves the goal in question. The position of being against draconian, overly aggressive technology that harms consumers' rights and is likely to be abused is entirely consistent.

There's a lot more in the paper like this, but you get the idea. There's barely a sentence in there that's reasonable or sensible.

from the the-toothpaste-will-come-out-somewhere dept

Last night, there was an interesting panel at Stanford discussing many of the problems with SOPA. It covered a lot of the ground that we've covered here over the past few months, but there were a few interesting moments. Paul Vixie, who has been a very vocal opponent to DNS blocking, explained why it wouldn't work, and how it would cause a lot of other problems... but he also noted that he was probably going against his own self-interest in making this argument. That's because the problems caused by SOPA/PIPA's DNS blocking would need fixing... and he suggests lots of folks would come to his company and pay for fixes. So it's a pretty principled stand by Vixie.

A separate point that was raised by Mark Lemley early on was that this argument that those in the US simply can't go after foreign sites is ridiculous. Under existing law, it's happened plenty of times in the past where copyright holders have gone after sites and companies based outside of the US and dragged those folks into US courts.

The vast majority of the evening proceeded with the implicit assumption that everyone there was categorically opposed to SOPA... but towards the end two execs from Paramount Pictures made it known they were there, and they were very much on the other side. The temperature in the room must have dropped 20 degrees when that happened. To be honest, the panel itself might have had a few more fireworks (though likely wouldn't have been that productive) if there had been a SOPA supporter on the panel itself.

Of course, the Paramount guys, in typical Hollywood fashion, made a bunch of false assumptions. Perhaps the best part was when one of them challenged venture capitalist Albert Wenger by claiming that the companies in his portfolio used intellectual property laws to protect their business, to which Wenger immediately shot back that they did not, and that they didn't support such things at all. Instead, he noted that the companies his firm (Union Square Ventures) invests in tend to win in the marketplace by competing and winning. He noted that even if they completely gave away the source code of Tumblr (one of USV's investments), it wouldn't matter. In fact, he pointed out that another company had copied Tumblr feature-for-feature... but they couldn't get users. The point is clear, and it's the same point we've made here for years: focusing on copyright to protect yourself is not a good business model, and not something they invest in. Instead, they focus on things that can succeed by executing even if someone copies them line for line.

Finally, there was an entertaining moment when Andrew Bridges asked the Paramount guys exactly how many sites they saw as a problem. Because, he noted, other studio execs from some of the big Hollywood studios had given him numbers between 10s and a few hundred. And, he noted, if it's just such a small number of sites, then why create massive regulatory issues for the entire internet, rather than trying to deal with the sites. The problem is that Hollywood wants control over much more than what's really "the worst of the worst." However, when someone suggested it was "a couple hundred" sites that were problems, Mark Lemley pointed out that then they should be all done, because ICE has already seized 450 domains.

All in all it was an interesting evening. The specific discussions on the problems of DNS blocking were particularly enlightening. It's why when the House had its ridiculously one-sided hearing on SOPA last month -- in which not a single panelist knew anything about DNS -- they should have had someone like Paul Vixie there to explain the basics of why SOPA and PIPA are bad ideas that won't fix things and will likely make things worse.

There was one metaphor that was used repeatedly through the evening, and it's really quite apt. People kept noting that "the toothpaste is just going to come out somewhere else." It's a good way of noting the unintended consequences here. Plugging this "hole" and then putting pressure on sites may stop certain actions, but it won't deal with the real issue that Hollywood is facing. In fact, it's likely to cause more problems, as the toothpaste squirts out somewhere else, unexpectedly.

from the not-cool-folks dept

It's pretty difficult to question Paul Vixie's credibility when it comes to core internet infrastructure. Creator of a variety of key Unix and internet software, he's still best known for his work on BIND, "the most widely used DNS software on the internet." So you would think that when he and a few other core internet technologists spoke up about why PROTECT IP would break fundamental parts of the internet, people would pay attention. Tragically, PROTECT IP supporters, like the MPAA, appear to be totally clueless in arguing against Vixie. Their response is basically "it's fine to break the internet for evil rogue sites."

That, of course, is missing the point. It's not that anyone's worried about breaking the internet for those sites. It's that it will break fundamental parts of the internet for everyone else as well. And... it will do this in a way that won't make a dent in online infringement. AfterDawn sat down with Vixie, who gave a clear and concise explanation of why PROTECT IP is a problem. The biggest issue is how it will impact DNSSEC, which adds cryptographic signatures to DNS records to make sure that the IP address you're getting is authentic. You want that. Without that, there are significant security risks. But PROTECT IP ignores that.

Explained simply, for DNSSEC to work, it needs to be able to route around errors. But the way PROTECT IP is written, routing around errors will break the law:

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.
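A simplified model of the validation step Vixie describes, added here as an illustration and not taken from the original post or from any DNS software: a validating resolver checks each answer against the zone's signature, so a filter's rewritten, unsigned or dropped answer is classified exactly like an attacker's forgery. The toy RSA key, the name `bank.example` and the documentation-range addresses are constructed, and the model leaves out the DS/DNSKEY chain of trust that real DNSSEC walks from the root.

```python
import hashlib

# Toy textbook-RSA zone key built from two Mersenne primes. NOT secure:
# real DNSSEC uses RSA/ECDSA/EdDSA keys published in DNSKEY records.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the zone owner

def digest(name, rtype, rdata):
    """Hash a simplified canonical form of an RRset to an integer below N."""
    canon = f"{name.lower()}|{rtype}|{','.join(sorted(rdata))}".encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N

def sign_rrset(name, rtype, rdata):
    """Authoritative side: compute the RRSIG value with the private key."""
    return pow(digest(name, rtype, rdata), D, N)

def validate(answer, zone_is_signed=True):
    """Validating resolver: classify an answer as secure, bogus or insecure."""
    if not zone_is_signed:
        return "insecure"            # parent publishes no DS: nothing to check
    if answer is None or answer.get("rrsig") is None:
        return "bogus"               # signed zone, answer missing or unsigned
    expected = digest(answer["name"], answer["type"], answer["rdata"])
    return "secure" if pow(answer["rrsig"], E, N) == expected else "bogus"

def scenarios():
    """Run constructed answers through the validator and return the verdicts."""
    genuine = {"name": "bank.example", "type": "A", "rdata": ["192.0.2.10"]}
    genuine["rrsig"] = sign_rrset("bank.example", "A", genuine["rdata"])
    # A filtering resolver rewrites the address to point at a notice page.
    filtered = dict(genuine, rdata=["198.51.100.1"])
    # An attacker injects a forged address for the same name.
    spoofed = dict(genuine, rdata=["203.0.113.66"])
    # A filter returns the rewritten data with the signature removed.
    stripped = dict(filtered, rrsig=None)
    return {
        "genuine": validate(genuine),
        "filtered_redirect": validate(filtered),
        "attacker_spoof": validate(spoofed),
        "signature_stripped": validate(stripped),
        "no_response": validate(None),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:20s} {verdict}")
```

The validator has no field that says "this modification was lawful", which is why the client in Vixie's example has to treat a filtered answer as a failure.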

And, of course, none of these DNS efforts will actually stop infringement. As the AfterDawn article notes: "Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law."

And while supporters of PROTECT IP insist that there's nothing to worry about because it only impacts those "foreign websites," that's misleading in the extreme. PROTECT IP will impact a ton of US-based technology companies. First, if we have a less secure internet, that's going to be a problem for obvious reasons. Additionally, the way the law works is that it puts a direct burden on US companies to figure out ways to block sites declared rogue (you know, like the Internet Archive and 50 Cent's personal website), or face liability. This will increase both compliance and legal costs.

In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us.